Analysis
- max time kernel: 102s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2022, 15:37
Static task: static1
Behavioral task: behavioral1
  Sample: 0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe
  Resource: win10v2004-20220812-en
General
- Target: 0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe
- Size: 354KB
- MD5: 83761132829c5db2b954ef6a641cac00
- SHA1: f8c0006b25632be95488a939fe371481aa7c3327
- SHA256: 0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4
- SHA512: 5c51ee072f10b229997a3ae789e10646cd360019949ee1ae37b518ba7af6e7b67c73de76b519444d087052607198bb48977676d7b028ce2c44733e209a682a99
- SSDEEP: 6144:aTfFDbRnOTrz+7cJMY/jJNjtMxAsidvZMi7hUAPqozEmdN+pb1usGodoWp4bCMCj:I5Of/jJNjt4AvdBMKUGqoTuDuMdH4JCj
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  2900  dnf.exe
  1492  panlong.exe

  resource                                                                       yara_rule
  behavioral2/files/0x0006000000022e04-134.dat                                   upx
  behavioral2/files/0x0006000000022e04-133.dat                                   upx
  behavioral2/memory/2900-135-0x0000000000400000-0x0000000000413000-memory.dmp   upx
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                         Process
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation  dnf.exe
- Loads dropped DLL (1 IoCs)
  pid   Process
  5016  rundll32.exe
- Drops file in Program Files directory (1 IoCs)
  description                    ioc                                              Process
  File opened for modification   C:\Program Files\MSN\MSNCoreFiles\newalrt.wav    dnf.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (1 IoCs)
  description   ioc                                                                                  Process
  Key created   \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings   explorer.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid   Process
  1492  panlong.exe
  1492  panlong.exe
  1492  panlong.exe
  1492  panlong.exe
  5016  rundll32.exe
  5016  rundll32.exe
  5016  rundll32.exe
  5016  rundll32.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  1492  panlong.exe
  1492  panlong.exe
  1492  panlong.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  1492  panlong.exe
  1492  panlong.exe
  1492  panlong.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1492  panlong.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process                                                                    procid_target
  PID 4404 wrote to memory of 2900   4404  0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe   79
  PID 4404 wrote to memory of 2900   4404  0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe   79
  PID 4404 wrote to memory of 2900   4404  0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe   79
  PID 2900 wrote to memory of 5016   2900  dnf.exe                                                                    80
  PID 2900 wrote to memory of 5016   2900  dnf.exe                                                                    80
  PID 2900 wrote to memory of 5016   2900  dnf.exe                                                                    80
  PID 5016 wrote to memory of 4708   5016  rundll32.exe                                                               81
  PID 5016 wrote to memory of 4708   5016  rundll32.exe                                                               81
  PID 5016 wrote to memory of 4708   5016  rundll32.exe                                                               81
  PID 4404 wrote to memory of 1492   4404  0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe   82
  PID 4404 wrote to memory of 1492   4404  0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe   82
  PID 4404 wrote to memory of 1492   4404  0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe   82
Processes
- C:\Users\Admin\AppData\Local\Temp\0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0adb8f2a47d5a4348ed782e3ff6d5237a0ed4bce0279ee5b50b9d72c76298cf4.exe"
  PID: 4404
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\windows\temp\dnf.exe
    Command line: "C:\windows\temp\dnf.exe"
    PID: 2900
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\system32\rundll32.exe" 272F.ime,Runed C:\windows\temp\dnf.exe
      PID: 5016
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe
        Command line: explorer.exe
        PID: 4708
        - Modifies registry class
  - C:\windows\temp\panlong.exe
    Command line: "C:\windows\temp\panlong.exe"
    PID: 1492
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 42KB
  MD5: 2f2d22097457f546ab9bdc242efbd463
  SHA1: 5583f45a7a090b3505f225a60caf4c49f7ee55b8
  SHA256: 418f7d4358dc62ff7758171aca1edf1a25eddc376ceaa7e7baf2c19b6f197228
  SHA512: 386b6e1e95bdfab2a7a53a71fdac71201ae43a9b7f99c23b0d9b64d048e92dae397cc2c32d386834db4d2eea871a01460012968dcf98dfdd92eacd88eeb3779f
- Filesize: 32KB
  MD5: 7f13038784e1fb3fb68fde244dbe26ae
  SHA1: 16254b823bd771621ea37a9a768e707b93a40471
  SHA256: babad5bee83c04bc76ed15553b2f03d76a9ed0a0529a9fde694a8e88e82ac8f5
  SHA512: 340439d33bad388d518d68fb1cd18652c64179c3090e64aaeae2c49a45e90ba18a0f7f886602215a60b59b7c05548075e3f7dce76628a72bbdb585c9fafebeb0
- Filesize: 412KB
  MD5: e28cb009daf185fd3176045f4005b787
  SHA1: a0816a05b531e590d91e29bf84f0fcba90a0ca22
  SHA256: ce3f8cba4fe408e6f1c9ddebaa7523fe361ac494fe95ba83bdd202c457fd0963
  SHA512: 88e3f179655d8ced7e83a2674f585abba481157ffdee9014c5d9deca7d52bd90cd624c7b94f663752743c64c9a1648947e97a49e5cbc8e4536383ac748243238